Threat Description

Breplibot.b

Details

Summary

Breplibot.b is a backdoor with bot capabilities. It connects to several IRC servers
and waits for commands from the backdoor author. The backdoor tries to use Sony's
DRM software to hide its process, file and registry keys. More information about
Sony DRM can be found here:

The string '$sys' is used for hiding the backdoor by means of Sony's XCP DRM software.
This works only if the DRM is installed after the backdoor. If the DRM is already
installed, the backdoor fails to install itself on the system.

The backdoor creates the mutex '$sys$drv.exe' to make sure that only one copy of the
backdoor runs at a time. It might also create a mutex named 'SonyEnabled'.
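As an added defender-side example (not part of this threat description), the following Python check looks for artifacts hidden by the XCP cloaking described above: it diffs a raw, driver-independent listing against the normal API listing and applies the '$sys$' prefix and mutex-name heuristics. All listings in it are constructed sample data, not real system output.

```python
from typing import NamedTuple

# Prefix the Sony XCP DRM driver cloaks from user-mode listings (used by Breplibot.b).
XCP_CLOAK_PREFIX = "$sys$"
# Mutex names quoted in the description.
KNOWN_MUTEXES = {"$sys$drv.exe", "SonyEnabled"}


class Finding(NamedTuple):
    kind: str    # "process", "file", "registry" or "mutex"
    name: str
    reason: str


def cross_view_hidden(kind, api_view, raw_view):
    """Cross-view check: names in the raw listing but missing from the API listing are cloaked."""
    hidden = sorted(set(raw_view) - set(api_view))
    return [Finding(kind, n, "in raw listing, absent from API listing") for n in hidden]


def suspicious_names(kind, names):
    """Name heuristic: the $sys$ prefix, or a mutex named in the description."""
    out = []
    for n in names:
        if n.lower().startswith(XCP_CLOAK_PREFIX):
            out.append(Finding(kind, n, "carries the $sys$ cloaking prefix"))
        elif kind == "mutex" and n in KNOWN_MUTEXES:
            out.append(Finding(kind, n, "mutex name associated with Breplibot.b"))
    return out


def scan(api_views, raw_views, mutexes):
    """Run both checks over every artifact kind; deduplicate while keeping order."""
    findings = []
    for kind, raw in raw_views.items():
        findings += cross_view_hidden(kind, api_views.get(kind, raw), raw)
        findings += suspicious_names(kind, raw)
    findings += suspicious_names("mutex", mutexes)
    return list(dict.fromkeys(findings))


# Constructed sample listings (not real system output).
SAMPLE_API = {"process": ["explorer.exe", "svchost.exe"], "file": ["notepad.exe"]}
SAMPLE_RAW = {"process": ["explorer.exe", "svchost.exe", "$sys$drv.exe"],
              "file": ["notepad.exe", "$sys$drv.exe"]}
SAMPLE_MUTEXES = ["ShimCacheMutex", "$sys$drv.exe", "SonyEnabled"]

if __name__ == "__main__":
    for f in scan(SAMPLE_API, SAMPLE_RAW, SAMPLE_MUTEXES):
        print(f"{f.kind:8} {f.name:15} {f.reason}")
```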

Bot functionality

When the backdoor is active, it connects to an IRC server, joins a certain channel
and acts as a bot there.